Definitive Guide

The Complete CPA Cybersecurity Compliance Guide

CPA firms face overlapping cybersecurity mandates from the FTC, IRS, and AICPA. This guide maps every requirement and shows how to satisfy them with a single compliance program.


Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

FTC Safeguards Rule: What Every CPA Firm Must Implement

The FTC Safeguards Rule (16 CFR Part 314) treats CPA firms, accountants, and tax preparers as "financial institutions" under the Gramm-Leach-Bliley Act. Since the June 9, 2023 compliance deadline for the amended Rule, every covered firm, regardless of size, must maintain a written information-security program built on the nine elements listed in 16 CFR 314.4. The elements that most change day-to-day practice at a CPA firm are: designating a Qualified Individual who owns the program; a risk assessment that identifies threats to client financial data; encrypting client information in transit over external networks and at rest; multi-factor authentication for anyone accessing systems that hold client data; either continuous monitoring or annual penetration testing plus vulnerability assessments at least every six months; and a written incident-response plan.

The Rule scales with the firm. Under 16 CFR 314.6, a firm that holds information on fewer than 5,000 consumers is exempt from the written risk assessment, the continuous-monitoring/penetration-testing element, the written incident-response plan, and the annual report to the board. Everything else still applies: the risk assessment itself (it simply need not be written), the Qualified Individual, encryption, MFA, access controls, secure disposal, and service-provider oversight.

The FTC has brought enforcement actions against tax-preparation businesses and accounting firms, and it has made clear that small firm size is not a defense: the obligation to protect client financial data applies equally to a solo practitioner and a Top 25 firm. A Safeguards Rule consent order typically binds the firm for 20 years and requires independent assessments every two years, and once a firm is under an order, each further violation carries the FTC's civil penalty (set at $50,120 per violation in 2023 and adjusted for inflation each year). A firm that has been non-compliant since the 2023 deadline therefore faces serious financial and operational exposure.

IRS Publication 4557 and EFIN Protection

IRS Publication 4557, "Safeguarding Taxpayer Data," is the IRS's security guidance specifically for tax professionals. It is advisory rather than a regulation, but the IRS ties it to the credentials a practice cannot operate without: PTIN renewal asks preparers to confirm they are aware of their data-security responsibilities, and e-file providers who suffer a data breach and cannot show they followed the guidance risk Electronic Filing Identification Number (EFIN) suspension or revocation, which ends their ability to e-file returns. Pub 4557 maps closely to the FTC Safeguards Rule (it directs preparers to the Rule and to a written information security plan) and adds tax-specific expectations: protecting EFIN and PTIN credentials, reporting client data theft to the IRS Stakeholder Liaison for the preparer's area, and following the Security Summit's "Taxes-Security-Together" checklist, which covers anti-virus software, firewalls, encryption, multi-factor authentication, secure remote access, and data backup. The IRS also recommends participation in the Information Sharing and Analysis Organization (ISAO) for tax professionals. For CPA firms that offer both tax and advisory services, Pub 4557 adds a compliance layer on top of the FTC Safeguards Rule, but because the requirements substantially overlap, one well-designed security program satisfies both. Cyber Defense Agent scans verify the external-facing technical controls that both the FTC and IRS expect: TLS on client portals, email authentication (SPF, DKIM, DMARC), properly configured firewalls, and the absence of exposed services that could give an attacker a path to client tax data.
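The email-authentication checks named above can be reproduced offline against a domain's TXT records. What follows is an added example written for this guide, not code from the page's author or from Cyber Defense Agent. The domain names, addresses and DNS answers are constructed placeholders (RFC 2606 and RFC 5737 reserved ranges); a live check would resolve the `<domain>` and `_dmarc.<domain>` TXT names with a DNS library instead of reading the embedded dict. It goes a little beyond the text: besides presence, it checks the SPF record count and lookup budget (both produce a permanent error under RFC 7208), the qualifier on the final `all` term, and the DMARC policy, `pct` and `rua` tags, which are the details an assessor will ask about.

```python
"""Assess a domain's SPF and DMARC posture from its DNS TXT records.

Added example for this guide (not the page's or the vendor's own code).
DNS answers are constructed samples; names and addresses are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed TXT answers keyed by owner name. A live check would resolve these
# names (e.g. with dnspython) instead of reading this dict.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example-cpa.test": [
        "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all",
        "google-site-verification=constructed-token",
    ],
    "_dmarc.example-cpa.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example-cpa.test; pct=100",
    ],
    "weak-cpa.test": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_dmarc.weak-cpa.test": ["v=DMARC1; p=none; rua=mailto:reports@weak-cpa.test"],
    "nospf-cpa.test": ["some-other-verification=constructed"],
}

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


@dataclass
class EmailAuthFindings:
    domain: str
    spf_record: Optional[str] = None
    spf_qualifier: Optional[str] = None   # qualifier on the final "all" term
    dmarc_policy: Optional[str] = None
    dmarc_pct: int = 100
    issues: List[str] = field(default_factory=list)


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(domain: str, txt_db: Dict[str, List[str]] = SAMPLE_TXT) -> EmailAuthFindings:
    f = EmailAuthFindings(domain)

    # SPF: exactly one v=spf1 record, within the lookup budget, ending in a restrictive "all".
    spf = [r for r in txt_db.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        f.issues.append("no SPF record: SPF cannot fail for forged senders")
    elif len(spf) > 1:
        f.issues.append("multiple SPF records: RFC 7208 treats this as permerror")
    else:
        f.spf_record = spf[0]
        terms = f.spf_record.split()[1:]           # drop the "v=spf1" version tag
        # Only top-level terms are counted here; a live check would also walk includes.
        lookups = sum(
            1 for t in terms
            if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in LOOKUP_MECHANISMS
        )
        if lookups > 10:
            f.issues.append(f"SPF needs {lookups} DNS lookups (limit 10): evaluates to permerror")
        all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
        if not all_terms:
            f.issues.append("SPF has no 'all' term: unlisted senders get a neutral result")
        else:
            q = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"   # default qualifier is "+"
            f.spf_qualifier = q
            if q == "+":
                f.issues.append("SPF ends in +all: every host on the internet passes SPF")
            elif q == "?":
                f.issues.append("SPF ends in ?all: unlisted senders get a neutral result")

    # DMARC: a v=DMARC1 record at _dmarc.<domain> with an enforcing policy and reporting.
    dmarc = [r for r in txt_db.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        f.issues.append("no DMARC record: receivers will not reject spoofed mail")
    else:
        tags = parse_dmarc_tags(dmarc[0])
        f.dmarc_policy = tags.get("p", "").lower() or None
        f.dmarc_pct = int(tags.get("pct", "100"))
        if f.dmarc_policy == "none":
            f.issues.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif f.dmarc_policy not in ("quarantine", "reject"):
            f.issues.append("DMARC p tag missing or invalid")
        elif f.dmarc_pct < 100:
            f.issues.append(f"DMARC pct={f.dmarc_pct}: policy applies to only part of the mail")
        if "rua" not in tags:
            f.issues.append("DMARC has no rua address: no aggregate reports, so no evidence trail")
    return f


if __name__ == "__main__":
    for d in ("example-cpa.test", "weak-cpa.test", "nospf-cpa.test"):
        r = assess_email_auth(d)
        print(d, "SPF:", r.spf_qualifier, "DMARC:", r.dmarc_policy, r.issues or "OK")
```

Run the check on a schedule and keep the dated output; a series of clean results is the kind of artifact a reviewer can tie to the Safeguards Rule's monitoring element, whereas a one-off screenshot is not.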

AICPA Standards and SOC for Service Organizations

The AICPA has established cybersecurity reporting frameworks that, while voluntary, are increasingly expected by clients, referral partners, and regulators. The AICPA Cybersecurity Risk Management Reporting Framework gives a CPA firm a standardized way to describe its cybersecurity program and the controls that support it, and it is the basis for a SOC for Cybersecurity examination, in which an independent CPA reports on the description and on the effectiveness of those controls. Beyond formal reporting, the AICPA Code of Professional Conduct, specifically the Confidential Client Information Rule (ET Section 1.700.001), obligates members not to disclose confidential client information without consent. As cyber threats to accounting data have intensified, the AICPA's guidance has clarified that this obligation extends to taking reasonable measures to safeguard that information. A CPA who stores client financial data on an unencrypted laptop or uses weak email passwords may face an ethics complaint even without a breach. For firms that act as service organizations, hosting client accounting data, providing cloud-based bookkeeping, or processing payroll, a SOC 2 report has become a de facto requirement. Enterprise clients and their auditors ask for a SOC 2 Type 2 report covering the Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy); only security is mandatory in every SOC 2, the other four are included as the service warrants. Cyber Defense Agent does not replace a SOC 2 audit, but it provides the continuous external monitoring that auditors look for when evaluating the security criteria, and it generates evidence artifacts that simplify the audit process.

Key Takeaways


CPA firms are "financial institutions" under the FTC Safeguards Rule and must build their security program on the nine elements of 16 CFR 314.4, with only the limited exemptions in 314.6 for firms holding data on fewer than 5,000 consumers.

IRS Publication 4557 ties cybersecurity directly to EFIN maintenance — a breach without documented safeguards can result in loss of e-filing privileges.

The AICPA Confidentiality Principle creates an independent ethical obligation to implement reasonable cybersecurity controls.

A single, well-designed security program can satisfy FTC, IRS, and AICPA requirements simultaneously.

External scan results, retained and dated over time, are one form of the documented evidence that regulators, insurers, and enterprise clients expect.

FAQ


Does the FTC Safeguards Rule apply to solo CPA practitioners?

Yes. The FTC defines "financial institution" broadly under the Gramm-Leach-Bliley Act, and there is no small-business exemption. A solo CPA handling even one client's tax return is covered. The Rule does allow the program to be scaled to the firm's size and complexity, and under 16 CFR 314.6 a firm holding information on fewer than 5,000 consumers is excused from four elements: the written risk assessment, continuous monitoring or penetration testing, the written incident-response plan, and the annual report to the board. The core safeguards, including a Qualified Individual, a risk assessment (unwritten is acceptable), encryption, MFA, and access controls, apply to everyone.

What happens to my EFIN if I suffer a data breach?

If the IRS determines that a data breach resulted from inadequate security practices, it can suspend or revoke your EFIN. Report the breach promptly to your IRS Stakeholder Liaison, contact law enforcement (local police and, where appropriate, the FBI), notify your state's attorney general and tax agency as its breach law requires, and notify affected clients. Following IRS Publication 4557 guidance and keeping documented security controls, including a written information security plan, significantly reduces the risk of EFIN action and demonstrates good faith to the IRS.

Do I need both a cyber insurance policy and FTC Safeguards Rule compliance?

Yes, because they serve different purposes. FTC compliance is a legal obligation with consequences for non-compliance. Cyber insurance provides financial protection when a breach occurs despite your safeguards. The two are linked in practice: carriers increasingly ask on the application whether Safeguards Rule controls such as MFA, encryption, and tested backups are in place, and a carrier that finds after a breach that those answers were inaccurate may deny the claim or rescind the policy.
